1. Field of the Invention
The present invention relates generally to security systems, and in particular to a method and system for dynamically adjusting a password expiration period based on access patterns of a user accessing a password-protected resource such as a data processing system.
2. Description of the Related Art
Many types of systems have security mechanisms in place that require a user of the system to provide a password in order to access resources of the system. Many of these systems also maintain an expiration time or count that is used to prompt a user to change their password when the expiration time/count occurs. For example, a user may be prompted to change their password after 30, 60 or 90 days from the last time the password was changed.
The location of a user, when accessing a system having a password security mechanism, is in many instances an indicator of the degree of risk that the security system/password may be compromised. For example, a user who only accesses their employer's computer system and resources within the confines of the employer's physical place of business generally has a lower risk of password compromise than a user who accesses their employer's computer system and resources from home using a telecommunication network to gain access. Similarly, a user who frequently accesses their employer's computer system on the road, such as a frequent business traveler who accesses their employer's computer system and resources from hotels, coffee shops, airports/airplanes, etc., generally has a higher risk of password compromise than either the at-home user or the place-of-business user.
Today's password expiration periods are arbitrarily set to a given period of time, typically by a system administrator, for an entire population of users of the resource. It would be desirable to provide an automated password expiration method based on the connection and usage risk of a given user.